I'm Bing Zhong, and this is Zhan Zhi, aka Sealfit on the internet, and this is Husky. And on the left hand is Yan Ming Chen; he works at Foamstone now. Basically, we three are working for ISS Taiwan. And I'm happy to have this opportunity to present my little research about what I did about one and a half years ago: a country-wide survey of web server security in Taiwan. And I did it again about half a year ago, and I'm happy to have this chance to present a little comparison between these two surveys.
And this is the outline of today's speech. I will tell you why I do this kind of research; basically, because it's fun. And also the methodologies I used in the survey, and a little analysis and conclusions.
Why I do this kind of survey: one and a half years ago, I was writing my master's paper on network security, and I'd like to know the status of internet security in my country. Because one and a half years ago, some e-commerce sites were just rising, and at that time I just liked to know how secure the web servers are, because so many people do transactions on the internet. If the platform is not secure, how can people expect that their privacy and the information they give the vendors on the internet are safe? This information could be stolen by hackers or other criminals. So I just liked to know how secure the web servers are.

And this time, I did it again to compare the status one and a half years ago and six months ago. I'd like to know if there is a significant improvement, because in these last years there have been so many attacks, so many hacker events on the internet, such as the DDoS to Yahoo and eBay. And also, three months ago, the cyber war between the US and mainland China. And after the cyber war, there was some university [indiscernible] in Taiwan, and we were very worried that China would strike Taiwan websites because of political issues. So we did another survey on government websites, so I can give you some statistics.
Okay.
Thank you.
Also, after my research, I proposed some remedies to the government, asking them to set up the policies and the standards for e-commerce sites or any government agencies who want to attach to the internet. Also, this methodology may apply to other information warfare research.
Okay. There are two different ways when we do a network security survey. The first is breadth-first. That means we survey a lot of... a single service around the internet in Taiwan. And also there is depth-first. That means we want to know the details of security in one place, such as a company or campus network; we want the detailed information, and to scan all the vulnerabilities inside the network.

And there are two kinds of methods when we do this kind of survey. We can just grab the banners and tell them, "You are running IIS server and you have these kinds of vulnerabilities," just by grabbing the banner. Or you can use a security scanner such as Nessus or ISS scanner or CyberCop scanner to scan all the vulnerabilities on the server. So basically what I did is just banner grabbing for the country-wide servers, and I sampled about 500 servers for some intrusive tests.
Oh, well.
Okay, here we go.
Okay, this is the methodology I used about one and a half years ago. These are the goals. We want to do some web security survey, and there are two factors that affect the website security. One is that the administrator installs vulnerable CGIs. So I did this kind of CGI survey, and I also collected all the vulnerable CGI information and tried to figure out if the server contains these kinds of vulnerable CGIs. And the other factor is that the server has some vulnerabilities, such as buffer overflows in IIS server, and I also collected all the banners and concluded the survival rate of the web server.

But this was one and a half years ago; I assumed that all the administrators didn't apply the proper patches and remedies for some of the security-related issues. And I figured out that most administrators are careless about security. So what I did basically is to survey the administrators' behavior, to see if they apply the proper patches to the web server or CGIs. And I made my conclusions and suggestions. If there's any question, please stop me.
To know how serious the problem is, we have to classify all the internet attacks. Basically it's something like Unix commands: read, write, execute, the permissions. And there is the security information that the hacker can gather to know what the internal configuration of the web server is; this is security information leakage. Also, some servers have denial of service problems. They will acquire all the essential resources of the web server and cause a downgrade of the internet service, or just stop it. And some people install some SOCKS server or proxy server that will relay the internet attack from the hackers; such as fingerd and proxy servers, SOCKS5 servers, they all have the same problem if you don't apply the access control list to them.

And some security vulnerabilities cause remote file access, including remote file read, so that the hacker will know the internal configuration of your server or other services. And remote file write is more serious, because the attacker can simply modify your configuration file and change the server to whatever he wants. Also, there's some remote command execution. Everybody knows the IIS worms three months ago. That is a simple remote command execution that echoes the patterns to your homepage. And this differs from [indiscernible] that lets the attacker get a user shell or get the [indiscernible]. And the most serious one is that the attacker has already compromised the system and, sorry, planted and installed a backdoor in the system, so that they can easily access the system in the future. Or the administrators are so careless that they execute Trojan horses such as Back Orifice or Sub7, these kinds of backdoors, so that the attacker can easily get full control of your system.

Why I do this classification: because I just want to build a quantitative model when we do a network assessment. This may be helpful if you want to do this kind of survey.
Yes, please.

How did you get what you thought was a comprehensive list of things like CGI risks, specific security forums, or vulnerabilities?

Okay, there is a lot of security information on the internet. What I did is basically collect all the security-related information about web servers on SecurityFocus or other mailing lists.

Did you go to the ISS staff, the folks you're working with, and use those as the primary list? Yes or no?

Oh, no. Basically because ISS in Taiwan is not working so closely with ISS USA. Yep. And I started two years ago; I was not working at ISS yet. So what I did is basically grabbing all the information on the internet.
Okay, this is a sample of how we can know which web server you are using. What I use is the HEAD method; most of the IDS now will raise an alert on this, because HEAD is not that common in web browsing. And we can see the server: it is running Apache, and all the extensions are listed behind the web server.

And this is an example of how we can find out whether the CGI exists on the remote web server. We can simply GET the CGI with the HTTP 1.0 method. If you get 200 OK, it means that the CGI does exist on the remote server. If you get a 404 Not Found, well, it means the CGI is not installed on the remote server. Also, you can get some extra information from the CGIs, such as the server environment, et cetera.
And this is the subject I surveyed this year. I did some reverse lookup for the domain names, to make sure that they are in .com, .edu, .net, .org, or ... Yeah, these servers are all in Taiwan, because I don't want to get into international trouble. Yeah.

And amazingly, I found that about 60% of the servers don't have an FQDN. Well, some people say it's not a good idea to have an FQDN because you expose more information to the attacker. But from an incident response point of view, it is easier to know who the server is, where the server belongs to, and you get the contact information for the remote site. And I randomly selected the IPs in the Taiwan network. There were about 140,000 web servers in Taiwan two years ago, and I randomly selected some of them in this survey.

Okay. It's probably because they don't have reverse lookup FQDNs. Yeah. Because most of the education domains and government domains had built FQDNs two years ago, and also the .net. And I guess most of the .com fall into the "not verified" part.
First, I chose these four CGIs because there is some time sequence. When I first began this research, I just liked to know if there's some trend that, as time goes by, maybe the security information is more common to the administrators, and they know how to apply the proper patches to the CGIs or remove the CGIs. And after I completed this survey, I figured out that it is not objective to select these four CGIs, because they are not correlated, and comparing these CGIs is meaningless.

I picked these four well-known vulnerabilities, such as MSADC, co-browse and [indiscernible]; these three CGIs will cause the attacker to view and execute all the commands, CGIs, ASP files, or any kind of files on the remote side. And IIS Unicode is a remote buffer overflow that will cause the attacker to execute any command on the remote site.
And this is the web server survey from netcraft.com. Probably many of you know this institute does a continuous survey of the web servers on the internet. We see that most of the servers on the internet run Apache server. But I think in most Asian countries they are not running Apache; they are choosing IIS server from Microsoft, because it is cheaper and the hardware is cheaper too. Yeah, because most managers in Taiwan or in Asian countries just trust Microsoft, and if you tell them, "Why don't you run Linux or FreeBSD with Apache server?", they'll tell you that they never heard of that. They don't trust the vendor. Yeah. It's weird, but it's the truth. Yeah.

Oh, what do you mean? Well, in some parts, in mainland China, yes. In some Asian countries, probably. Yeah. And also because of the price of something such as Solaris; I think Microsoft is cheaper than Solaris, is it? Yeah, yeah.
Okay, so these are the web servers in Taiwan. About 50% of them are running NT or Windows 2000 with IIS server, and about 25% of them are Apache server. Oh, shit. Yeah.

And this is the result of the sample that I did this January. I didn't include the web server version in this information leakage. I just focused on the co-browse and the MSADC, this kind of vulnerability that will show the code or the files on the remote server. And I have a complete list for these vulnerabilities; it's in my paper. But it is written in Chinese, so I don't think you guys have the interest to read these Chinese papers. And amazingly, about 60% of the IIS web servers have vulnerabilities. This is for the only web, wait, banner grabbing. Sorry, I'm a little nervous because I've never spoken to so many people before. Yeah.

Yeah, because all the information I gathered is that IIS servers 4.0, 3.0, 1.0, 2.0, and 5.0 all have the vulnerability that will get the remote root, yeah. But you have to survey the patch behavior of the administrator, because if you do just a default install and didn't install any patch, they do have vulnerabilities, yeah. In this survey, I didn't use them; I just grabbed the banners, yeah.
And these are the four vulnerabilities. Basically, I don't think the Unicode is a CGI problem. Okay. And these are the four CGIs I surveyed in this research. I give the vulnerability name and description in the slide, and also the publish date. And I randomly chose 500 servers from the Taiwan web servers and tried to find out how many of them have vulnerable CGIs. What I did, basically, is from the sample of all the servers I surveyed, I randomly chose 500 of them. And from these 500, I chose another 30 of them to see if the CGIs are really vulnerable, because, you know, some servers can fake the information and give you 200 OK even if they don't have these CGIs on the web server.
You see the star here because some of the administrators didn't use the default install of the MSADC on IIS server. I think we found 11 of them are vulnerable to this kind of attack. But I think if we had enough information, or tried some other default paths, the 11 servers might be 20 or 25 of them. We didn't have enough time to try all the possible folders on the remote side. As we can see, 99 out of 120, that means 82.5% of the CGIs are vulnerable. So I think the administrators didn't pay enough attention to security, because they didn't apply the proper patches on the remote server.
And here's the conclusion. The most important is that about 50%, 55% of the remote web servers may grant root access to the attacker. And I did some comparison between 2000 and 2001, and I didn't see significant improvement in the security overview. And probably because of the environment change: when I did the research in year 2000, the Apache server and IIS server were about one to one, 40% Apache server and 40% IIS server. And in this year, we can see that...

Okay, in the survey in Y2K, information leakage was about 45, and in 2001 it is about 33% that will reveal your code to the remote attacker. As for denial of service, there is about 25 in year 2000 and 34 in year 2001. As for unauthorized remote access, including remote user shell and, sorry, remote file read and remote file write, it is 34% in year 2000 and 33 in year 2001. And these data are very close, and I didn't see any significant difference between these two years. But for the administrator's privilege, that is, the attacker can execute any command with administrator's privilege, in year 2000 it's about 45%, and in 2001 it's about 55. So I don't think the web servers in Taiwan are more secure over these two years. And I'm going to make my conclusion of the presentation about the web servers.
I think FQDN is important to the internet infrastructure when we do some incident response. The percentage of available FQDNs is less than 40%, so I think there's a lot of room for improvement. As for the CGI surveys, I think many administrators didn't pay enough attention to all the vulnerability information, so they didn't remove the vulnerable CGIs or apply the proper patches to the CGIs.

About administrator behavior, I just want to know if they are too stupid or too lazy. Yeah. If they are too stupid, we can do some education to let them know, "Your server has a problem; there is a problem in your server." Yeah, if they are too lazy, we can set up the standards or SOPs, as companies, to set up the proper policy for their server security. Yeah, I found out that most of the administrators don't care about internet security. And I think it's more important to let them know what the problem in their servers is. So I proposed to the government that we should set up education courses for the administrators.
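The banner-grab and CGI-probe interpretation the talk describes, as an added example that is not part of the transcript or the speaker's own tooling: the HTTP replies are constructed, the probe paths are placeholders, and treating a 200 OK that carries an HTML page as "unverified" is my assumed heuristic for the fake-200 servers the speaker mentions.

```python
import re
from collections import Counter

# Constructed replies, not captured from any real host: one HEAD reply used
# for banner grabbing and three GET replies against placeholder CGI paths.
HEAD_REPLY = (
    "HTTP/1.0 200 OK\r\n"
    "Server: Apache/1.3.12 (Unix) mod_ssl/2.6.4 OpenSSL/0.9.5a\r\n"
    "Content-Type: text/html\r\n\r\n"
)
CGI_REPLIES = {
    "/cgi-bin/probe-a": "HTTP/1.0 200 OK\r\nContent-Type: text/plain\r\n\r\n"
                        "SERVER_SOFTWARE = Apache/1.3.12\nSERVER_PORT = 80\n",
    "/cgi-bin/probe-b": "HTTP/1.0 404 Not Found\r\nContent-Type: text/html\r\n\r\n"
                        "<html><body>Not Found</body></html>",
    # A host that answers 200 with its front page for any path it is asked for.
    "/cgi-bin/probe-c": "HTTP/1.0 200 OK\r\nContent-Type: text/html\r\n\r\n"
                        "<html><body>Welcome</body></html>",
}

def parse_response(raw):
    """Split a raw HTTP/1.0 reply into (status code, lower-cased header dict, body)."""
    head, _, body = raw.partition("\r\n\r\n")
    status_line, *header_lines = head.split("\r\n")
    match = re.match(r"HTTP/\d\.\d (\d{3})", status_line)
    headers = {k.strip().lower(): v.strip()
               for k, _, v in (h.partition(":") for h in header_lines)}
    return (int(match.group(1)) if match else 0), headers, body

def server_banner(raw):
    """Product/version comes first in the Server header; extensions follow it."""
    _, headers, _ = parse_response(raw)
    parts = headers.get("server", "").split()
    return {"product": parts[0] if parts else "", "extensions": parts[1:]}

def classify_cgi_probe(raw):
    """404 -> absent, 200 -> present, except that a 200 carrying an HTML page is
    only 'unverified': assumed heuristic for hosts that say 200 OK to any path."""
    status, headers, body = parse_response(raw)
    if status == 404:
        return "absent"
    if status == 200 and "text/html" in headers.get("content-type", "") \
            and "<html" in body.lower():
        return "unverified"
    return "present" if status == 200 else "unknown"

def tally(results):
    """Count outcomes; rate is confirmed-present over decided probes (99/120 = 82.5%)."""
    counts = Counter(results)
    decided = counts["present"] + counts["absent"]
    rate = round(100.0 * counts["present"] / decided, 1) if decided else 0.0
    return dict(counts), rate
```

Probes that land in "unverified" are the ones the talk's 30-server manual check exists for; only "present" and "absent" feed the vulnerability rate.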
